Tech Support Forum - View Single Post

ghsu · 07-02-2007, 08:21 PM

Thank you for replying so quickly. I have run both as you suggested.

ComboFix Log:
ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-07-02 19:04:06 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))

2007-07-02 08:38 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-01 23:29 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 22:40 786,432 --ah----- C:\DOCUME~1\ADMINI~1.GEO\NTUSER.DAT
2007-07-01 22:40 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.GEO\UserData
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\WINDOWS
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\VERITAS
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Symantec
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\SampleView
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Real
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Leadertech
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\InterTrust
2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\GlobalSCAPE
2007-07-01 22:05 234,718 --a------ C:\Temp\aZ001.exe
2007-07-01 22:05 <DIR> dra------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-07-01 22:04 <DIR> d-------- C:\Temp\iee
2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CO
2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CG
2007-07-01 13:10 <DIR> d-------- C:\WINDOWS\LG_Inno
2007-06-30 09:44 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-06-30 09:38 <DIR> d-------- C:\Program Files\Microsoft Works
2007-06-30 09:37 <DIR> d-------- C:\Program Files\MSBuild
2007-06-30 09:09 <DIR> dr-h----- C:\MSOCache
2007-06-27 16:23 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-27 16:23 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 02:01:51 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-02 15:20:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-02 05:05:43 -------- d-----w C:\Program Files\Windows NT
2007-07-01 23:57:38 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-01 01:56:51 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-30 16:05:44 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-06-30 04:01:17 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\dvdcss
2007-06-28 07:00:13 -------- d-----w C:\Program Files\NetAnts
2007-06-06 21:04:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-10 19:37:22 55,344 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-07 14:40:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\FALCOM
2007-05-06 16:39:46 -------- d-----w C:\Program Files\DAEMON Tools
2007-05-06 16:34:57 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-05-05 17:50:06 -------- d-----w C:\Program Files\BFG
2007-05-02 01:00:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-07 06:22:49 65,536 ----a-w C:\WINDOWS\IFinst27.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{6B484589-D710-AD92-4F14-888DBD24D5B9}=C:\WINDOWS\system32\ywda.dll []
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 08:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 08:01]
"nwiz"="nwiz.exe" [2002-12-12 03:00 C:\WINDOWS\system32\nwiz.exe]
"NAV CfgWiz"="c:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-11-15 08:08]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 03:29]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 03:29]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:40]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

Contents of the 'Scheduled Tasks' folder
2007-07-02 15:27:01 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 19:16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-02 19:17:36
C:\ComboFix-quarantined-files.txt ... 2007-07-02 19:17
C:\ComboFix2.txt ... 2007-07-02 08:45
C:\ComboFix3.txt ... 2007-07-01 23:58

--- E O F ---

HJT Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:20:14 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\misc\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B484589-D710-AD92-4F14-888DBD24D5B9} - C:\WINDOWS\system32\ywda.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174424474562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174424615750
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kbwajqha.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5915 bytes

07-02-2007, 08:21 PM	#3 (permalink)
ghsu Registered User Join Date: Jul 2007 Posts: 6 OS: XP SP2	Re: Please help me... Comp infected Thank you for replying so quickly. I have run both as you suggested. ComboFix Log: ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe "Owner" - 2007-07-02 19:04:06 - Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 ))))))))))))))))))))))))))))))) 2007-07-02 08:38 <DIR> d-------- C:\WINDOWS\Prefetch 2007-07-01 23:29 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-07-01 22:40 786,432 --ah----- C:\DOCUME~1\ADMINI~1.GEO\NTUSER.DAT 2007-07-01 22:40 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.GEO\UserData 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\WINDOWS 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\VERITAS 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Symantec 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\SampleView 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Real 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\Leadertech 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\InterTrust 2007-07-01 22:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.GEO\APPLIC~1\GlobalSCAPE 2007-07-01 22:05 234,718 --a------ C:\Temp\aZ001.exe 2007-07-01 22:05 <DIR> dra------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor 2007-07-01 22:04 <DIR> d-------- C:\Temp\iee 2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CO 2007-07-01 13:40 <DIR> d-------- C:\WINDOWS\system32\CG 2007-07-01 13:10 <DIR> d-------- C:\WINDOWS\LG_Inno 2007-06-30 09:44 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2007-06-30 09:38 <DIR> d-------- C:\Program Files\Microsoft Works 2007-06-30 09:37 <DIR> d-------- C:\Program Files\MSBuild 2007-06-30 09:09 <DIR> dr-h----- C:\MSOCache 2007-06-27 16:23 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll 2007-06-27 16:23 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-03 02:01:51 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-02 15:20:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent 2007-07-02 05:05:43 -------- d-----w C:\Program Files\Windows NT 2007-07-01 23:57:38 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-07-01 01:56:51 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-06-30 16:05:44 -------- d-----w C:\Program Files\Microsoft ActiveSync 2007-06-30 04:01:17 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\dvdcss 2007-06-28 07:00:13 -------- d-----w C:\Program Files\NetAnts 2007-06-06 21:04:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-05-10 19:37:22 55,344 -c--a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT 2007-05-07 14:40:13 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\FALCOM 2007-05-06 16:39:46 -------- d-----w C:\Program Files\DAEMON Tools 2007-05-06 16:34:57 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-05-05 17:50:06 -------- d-----w C:\Program Files\BFG 2007-05-02 01:00:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-07 06:22:49 65,536 ----a-w C:\WINDOWS\IFinst27.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {6B484589-D710-AD92-4F14-888DBD24D5B9}=C:\WINDOWS\system32\ywda.dll [] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48] {BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-11-15 08:09] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 21:56] "StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 08:01] "nwiz"="nwiz.exe" [2002-12-12 03:00 C:\WINDOWS\system32\nwiz.exe] "NAV CfgWiz"="c:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-11-15 08:08] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-15 03:29] "ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-15 03:29] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 17:40] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:40] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47] "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVIEW"="nview.dll,nViewLoadHook" [] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] AutoRun\command- D:\Info.exe folder.htt 480 480 Contents of the 'Scheduled Tasks' folder 2007-07-02 15:27:01 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-02 19:16:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ Completion time: 2007-07-02 19:17:36 C:\ComboFix-quarantined-files.txt ... 2007-07-02 19:17 C:\ComboFix2.txt ... 2007-07-02 08:45 C:\ComboFix3.txt ... 2007-07-01 23:58 --- E O F --- HJT Log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 7:20:14 PM, on 7/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\ALCXMNTR.EXE c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\conime.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Owner\Desktop\misc\HiJackThis_v2.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {6B484589-D710-AD92-4F14-888DBD24D5B9} - C:\WINDOWS\system32\ywda.dll (file missing) O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1174424474562 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174424615750 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kbwajqha.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 5915 bytes